After trying multiple options (including PostSharp), I found a way to:
Programatically use AST C# generation (from ICSharpCode.NRefactory and O2 Platform's FluentSharp.REPL APIs) to:
- create a 'proxy' C# of an ASMX with the same exposed web methods as the original one
- by default the new proxy ASMX WebService will call the original WebService's method (think class A implements class B, with all methods in class A calling the base method from class B)
- make it easy to extend the new ASMX WebService C# code and change the data sent/received from/to the original WebService's methods.
While I was working on the solution, I created a number of (long) blog posts that explains in detail all the steps I took to create the 'proxy' C# of an ASMX.
Here are they, ordered by creation date (so if you want to see the final result, look at the last one)
- Adding O2's CSharp REPL to the Checkmarx main WebService
- Creating a REPL editor that is linked to a Code editor (with detailed step-by-step description of how I use O2 to 'evolve an C# UI via quick REPL')
- Using AST technology (from ICSharpCode.NRefactory) to script the creation of a C# file (using O2's C# REPL editor)
- Using AST to programmatically create an Asmx WebServices WebMethod invocation wrapper (for HacmeBank)
- Creating an Lambda Method that creates an Asmx WebServices WebMethod invocation wrapper
- Running the Asmx WebServices WebMethod invocation wrapper on a local WebServer (i.e Hacmebank UserManagement.asmx)
- Creating an API to create the WebServices Proxy Wrapper classes/asmx files
- Creating a WebServices Proxy Wrapper for Checkmarx’s CxWebService
- Using WebServices Proxy Wrapper to replace Checkmarx’s CWE Guidance with TeamMentor’s Articles
To give an idea on what is being described in the posts linked above, here is the script that creates the WebServices 'proxy' source files (all the way from the original WSDL)
The script shown above uses the API_ASMX_Proxy class...
...which uses AST manipulation technology like this:
... to programatically create this ASMX c# file:
...witch was used (with some extra code) to change the normal security guidance showed in CheckMarx CxClient desktop app (note the description shown for SQL Injection)
... with TeamMentor's guidance (note the description shown for Command Injection):
I'm really happy with how this 'proxy generation' technique worked out, since it scales quite well, is easy to create and I think there are tons of places it could be used:
The script shown above uses the API_ASMX_Proxy class...
...which uses AST manipulation technology like this:
... to programatically create this ASMX c# file:
...witch was used (with some extra code) to change the normal security guidance showed in CheckMarx CxClient desktop app (note the description shown for SQL Injection)
... with TeamMentor's guidance (note the description shown for Command Injection):
I'm really happy with how this 'proxy generation' technique worked out, since it scales quite well, is easy to create and I think there are tons of places it could be used:
- WebServices call monitoring/logging
- Recording and replaying of WebServices calls (useful for UnitTest's mocking)
- Security testing of WebServices (both to and from the WebServices)
- Patching vulnerabilities that exist on particular WebServices methods
